Every new presidential administration brings change, one way or another. Learn what President Joseph Biden is facing on the cybersecurity front, along with some tips for government and businesses.
The past year has been one like no other, and during the pandemic cybersecurity threats have been on the rise with the ubiquity of remote work. United States President Joseph Biden has a lot on his plate, and cybersecurity concerns should be high on his to-do list.
I checked in with Morgan Wright, chief security advisor for SentinelOne, a cybersecurity provider; Chris Roberts, hacker in residence at Semperis, a cybersecurity provider; and Alexander García-Tobar, CEO and co-founder of Valimail, a secure email provider, to obtain their insights on what the new administration’s cybersecurity priorities should be.
SEE: Identity theft protection policy (TechRepublic Premium)
Scott Matteson: What are the cybersecurity gaps we’ve seen from the last administration?
Morgan Wright: The inability to effectively blend cybersecurity threats with intelligence. To be fair, every recent administration has been challenged by this. The Intelligence Community has challenges effectively sharing intel among all members. Adding cyber to this exponentially increases the threat vectors.
Ransomware has caused significant damage and economic loss. While OFAC and Treasury have outlined possible sanctions against ransomware payments, we still struggle as a government to effectively identify and shut down ransomware botnets and organizations. (I get Emotet, but just like when Pablo Escobar was killed, the Medellin cartel didn’t miss a beat with continuing the shipment of cocaine. Take one kingpin out, and another rises to take its place.)
SEE: Emotet malware taken down by global law enforcement effort (TechRepublic)
While not a cybersecurity gap, allowing cryptocurrencies to continue to operate without effective regulation only means crimes like ransomware will continue to grow unabated.
Chris Roberts: With the old administration, there were a lot of communication issues between various government entities as well as a lack of support for the intelligence community overall. General awareness and overall understanding of security risks looks to be improving as the new administration settles in.
Funding for security-related efforts were also an issue, but now there seems to be increased efforts there as well.
Alexander Garcia-Tobar: Cybersecurity gaps certainly exist. As a leader in identity-based anti-phishing solutions, Valimail is particularly focused on email security best practices, as well as email security within the U.S. election infrastructure. Given the vast majority of hacks start with a phish (specifically, 89% of all phishing attacks are a spoof), it’s critical we ensure the U.S. government authenticates all of its email—civilian and military. Today, email is used to notify citizens of critical policy, legal and medical notices, and more. Email is the primary way we confirm interactions with the government. Email is the basis for communications. We must finish what the BOD 18-01 started. Beyond just email authentication, we must also insist on encryption of data, so that even if hacked, the data is useless to the attacker.
It’s also important to note that election security is multifaceted—it isn’t just the physical voting process and the machines. Email communication around election cycles should also be of paramount concern due to the risk of misinformation and manipulation. This threat was more pronounced during the Trump administration but it always exists due to the pervasive nature of email. Ahead of the election, research we conducted showed a lack of adherence to email authentication standards for email domains associated with U.S. presidential campaigns, political action committees (PACs), U.S. state and county governments, and election system manufacturers.
Scott Matteson: What should have been done better?
Morgan Wright: More focus and spending on IT modernization and upgrading our critical infrastructures. There are too many legacy solutions and approaches still being used in day-to-day operations and mission-critical systems.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Chris Roberts: The four main Cs: communication, collaboration, cooperation and coordination, across departments and with industry is something that can be improved with the new administration.
Alexander Garcia-Tobar: The U.S. Election Assistance Commission just approved the first new voluntary voting system guidelines in 15 years. Thankfully, these guidelines did a great job covering multi-factor authentication. Otherwise, the guidelines left a lot to be desired in terms of email security within the U.S. election infrastructure.
First, and most important, the guidelines are voluntary and aren’t funded. The guidelines leave loopholes around data encryption and do nothing to address email authentication, a vital tool in limiting the spread of disinformation. If the U.S. is serious about improving election security, we need a national standard, and it has to be funded.
Scott Matteson: What should President Biden be doing to move forward and protect the country?
Morgan Wright: Create better interagency coordination of human intelligence and cyber threats. The recent operation by Russian intelligence (SVR) that exploited SolarWinds and Microsoft was a failure of intelligence, followed by a failure of detection. Where was our equivalent of Oleg Penkovsky (Code-named HERO) who stopped a nuclear war by telling the U.S. about Russian missiles in Cuba? Effective human intelligence could have identified this latest operation and stopped it in its tracks.
Convene a new non-partisan commission to do a review of the cybersecurity failures over the last 5 years (similar to the 9/11 Commission) and look at new ways and technologies to defend and protect our vital national interests.
Open a conversation about the regulation and management of cryptocurrencies.
Chris Roberts: President Biden is making strides at the moment, calling on technologists to help increase White House security and with funding programs and should continue to focus in these areas to increase security awareness at the state and federal level.
SEE: North Korean hackers find another new target: The defense industry (TechRepublic)
Alexander Garcia-Tobar: Cybersecurity is too important to leave it lumped in with other areas of national security. Valimail applauded President Biden appointing a cybersecurity czar. The sanctity of America’s information systems and election infrastructure is crucial to our security as a nation, our government functions and the preservation of our free and fair elections. Cybersecurity has been reactionary or an afterthought and it needs to be strategic and proactive. Biden does have some efforts he can build on, including the excellent work Chris Krebs did at CISA. We need to strengthen this type of approach and promote, not dismiss, people like Krebs.
It’s very easy to take email security for granted and focus on the cyber risk du jour. However, email is still the most potent vector for attack and it must be treated as the front door to cyber breaches. Bad actors (nation states and criminals) deploy email fraud in 89% of all hacks. This is particularly important in elections as misinformation swirls around these periods. Locking down email as a vector should be at the top of the federal priority list. Equally important, funds need to be made available so that state and local governments can implement protections without friction or delay.
The Biden administration should also create, disseminate and enforce a set of cybersecurity best practices for companies. Too often, companies cut security corners in favor of short-term profitability. The cyber risk is particularly high now, during the pandemic, with so many people working from home. COVID-19 and the structural change of remote work has made people more susceptible to attacks. Not only are workers outside the office, and therefore more vulnerable, they are also using more email and other electronic modes of communications that can be hacked. IT teams are remote and stretched thin, so it’s harder for them to protect and respond. The result: More devastating attacks. The Biden administration needs to implement a minimum security standard for business so workforces retain trust in the system.
Scott Matteson: How can this best be achieved?
Morgan Wright: More investment in artificial intelligence, machine learning, quantum computing, international treaties on cryptocurrency regulation, and review of foreign investment in critical technologies.
Chris Roberts: This can be achieved through better communication and awareness, transparency over voting systems, better integration with the industry as a whole and better recruiting into the government agencies.
Alexander Garcia-Tobar: We must prioritize protecting the U.S. election infrastructure against email-based attacks. Now is an excellent time to prepare our systems before the next midterm elections. The current set of rules recently voted on are not funded, and experts are already saying that this dooms the set of urgently needed changes to post 2022—missing the next election cycle entirely. This is a travesty.
Ninety percent of all hacks start with a fraudulent email. The simple email security basics—email authentication, encryption and MFA—would cover the vast majority of these hacks. These basics also make hacking a lot more complex and expensive, a huge disincentive to most hackers and some nation states.
The Biden administration should encourage widespread DMARC (Domain-based Message Authentication, Reporting and Conformance) and MFA use to improve email security. DMARC protects email domains from being abused and MFA protects stolen credentials from being used. DMARC is already mandated for all civilian federal agencies and the Department of Defense but it needs to be a government-wide mandate, without gaps. The Biden administration should require DMARC for anyone doing business with the U.S. government and should help state and local governments deploy DMARC within the next three years.
To drive meaningful change, the Biden administration should enforce these security directives with deadlines and fund them accordingly.
Scott Matteson: What should businesses be doing to mirror Biden’s solutions?
Morgan Wright: AS COVID causes more and more business to be transacted online, more spending must be allocated to upgrading and modernizing current networks. If an ISAC (Information Sharing Analysis Center) exists for your industry (which by now there should be an ISAC for almost everything), companies should be joining and sharing threat information.
Chris Roberts: Bringing it back to the four C’ again, these are the foundational characteristics for increasing security success across governments and businesses.
Alexander Garcia-Tobar: A version of BOD 18-01 with minimum best practices would be a great first start. Additionally, businesses should look past their four walls to their supply chains. The Russian hack proved this is a huge, glaring weak spot.
Scott Matteson: What should IT pros be aware of?
Morgan Wright: It will get worse before it gets better. This current storm of sophisticated and intelligence-driven operations will continue to grow in scope and evolving tradecraft. Making decisions about what are the most vital assets to defend will be key to surviving the next attack. They should also be aware that if a sophisticated and persistent nation-state actor targets them, the bad actor will find a way in. You should always assume you’ve been breached instead of waiting for it to happen.
SEE: How to combat the latest security threats in 2021 (TechRepublic)
Chris Roberts: Every business and individual needs to be aware of the ever-changing cyber threat landscape and how to more effectively help and secure networks and systems as attacks are becoming increasingly sophisticated.
Alexander Garcia-Tobar: It’s all about the basics (MFA, encryption and authentication). Covering those protects against the vast majority of attacks. The cost of attacks has also been raised so only the most proficient even stand a chance of a successful attack. IT professionals should remember that 90% of all hacks start with a fraudulent email, and 89% of all fraudulent emails start with the sender impersonating a trusted party. Email authentication, when implemented correctly, reduces email fraud to nearly 0%.
Scott Matteson: What should end users be aware of?
Morgan Wright: They continue to be the primary way nation-state actors compromise and attack companies and government organizations. Spear phishing remains the most effective tactic. End users will also have to embrace adaptation and change. All the sophisticated locks in the world do little to prevent an end user from giving someone the key—wittingly or unwittingly.
Chris Roberts: Everything! We need to assume attackers have already made their way into our networks. It’s important to always verify, and even then, question everything. Asking more questions and taking more ownership over individual digital lives will help users to better secure their data and their company’s.
Alexander Garcia-Tobar: Do not trust email that hasn’t been authenticated because the sender could be anyone. Disinformation is a way of life. Verify with trusted sources and cross-check. It’s important to understand where the information came from (another form of authentication).
Scott Matteson: Are there any international situations entangled with this that require the use of sanctions or diplomacy?
Morgan Wright: The continued espionage campaigns by Russia and China constitute a significant threat to our advanced technologies, military secrets and economic health.
The issue of cryptocurrencies requires international cooperation of the finance and IT community. Until the ability to reap financial rewards for ransomware are removed, this malware will continue to evolve in effectiveness.
Alexander Garcia-Tobar: Absolutely. Our work with the federal government and agencies such as USAID shows that hard-working government officials with the best of intentions can be sidelined by unscrupulous players and have funds not arrive, as intended. Sanctions on hackers and an international “code of conduct” are desperately needed.
Scott Matteson: How should the global community be engaged with this?
Morgan Wright: Remove non-extradition protections for certain crimes like ransomware. The U.S. has MLAT’s (mutual legal assistance treaties) with many countries. But an MLAT does not assure extradition.
The creation and deployment of new software supply chain standards will only be as effective as the countries who adopt and enforce them. Once a standard is widely adopted (like IP is), then I think we’ll start to see an impact to nation-state and malware threats.
Scott Matteson: What’s coming in 2022?
Morgan Wright: More investment and focus on the security of the software supply chain. Rebuilding the pillars of trust has to be the primary objective. Also expect more long-term intelligence operations targeting the software supply chain, in addition to traditional and escalating cyber espionage. I expect ransomware to have an inflection point as the number of major players consolidate because of increased enforcements and takedowns.
Chris Roberts: In 2022, we will continue to see advancement in the following areas of security:
- Supply chain attacks
- Transportation (shipping)
- Nanotechnology/Biotechnology attacks and adversarial research
- Big data turning against itself
- Continued use of unsafe passwords and a lack of understanding to protect vulnerabilities.
Alexander Garcia-Tobar: The three basics: MFA, encryption and authentication should be required minimums. These basics should be codified for the government and for any company doing business with the government. There is simply no choice or excuse—we must get this done.
Regarding email security and elections, there should be an explicit call-out in funding to have a national standard in place by 2022, or we will have a whole new election cycle open to manipulation.